by cpuguy83 4315 days ago
The cgroups and namespaces do indeed provide a layer of security. We also drop certain capabilities, so for instance root inside the container can't (by default) manipulate iptables, mount things, change network settings, etc. To come later would also be user namespaces so root inside the container != root outside the container. There's also a significant amount of support within Docker for selinux/apparmor stuff.

Indeed, all these things come together to do exactly what jails does.

Jails do not provide the same security as a VM, just like what Docker does is not providing that same level of security. You are kidding yourself if you think jails does.

It's all layers... like ogres... or onions :)


I get the PR angle... But over-representing Docker is doing more harm than good. People are reading things like "We would like to add feature X" or "Implementing feature X is on the roadmap", but interpreting it as "Docker does all these things right now". Soon people will be talking about how Docker makes pizza too.

Can Docker be secure? Sure -- is it? No.

These are all things that are there now, except user namespaces (which is indeed huge), not roadmap items.